Clustering nodes that perform similar functions for security policy enforcement within a datacenter is a hard problem. Network administrators today group nodes using existing knowledge of the applications running on them, by tier (Web, App, or DB tier), or by the application or service ports open on them. These methods require domain knowledge and knowledge of the network topology, and they require the administrator to keep track of all new node and application deployments. As new applications and nodes are added, they have to be moved to an existing cluster of nodes so that security policies can be enforced.
The difficulty is only compounded by the fact that clusters are not inherently static. Once network administrators have identified a cluster, there is little guarantee that its constituent nodes will continue to behave in a similar way, or that its future traffic patterns will match its past patterns. Thus, when applications and nodes are constantly being added and removed, nodes are shifting between clusters, and the definition of a cluster itself is dynamic, keeping track of clusters becomes time-consuming and tedious.